Formal Methods in System Design, Volume 43, Issue 3, pp 369–413

Composition of password-based protocols

  • Céline Chevalier
  • Stéphanie Delaune
  • Steve Kremer
  • Mark D. Ryan

Abstract

Formal and symbolic techniques are extremely useful for modelling and analysing security protocols. They have helped to improve our understanding of such protocols, allowed us to discover flaws, and also provide support for protocol design. However, such analyses usually consider the protocol in isolation or assume a bounded number of protocol sessions. Hence, no security guarantee is provided when the protocol is executed in a more complex environment.

In this paper, we study whether password protocols can be safely composed, even when the same password is reused. More precisely, we present a transformation which maps a password protocol that is secure for a single protocol session (a decidable problem) to a protocol that is secure for an unbounded number of sessions. Our result provides an effective strategy for designing secure password protocols: (i) design a protocol intended to be secure for one protocol session; (ii) apply our transformation and obtain a protocol which is secure for an unbounded number of sessions. Our technique also applies to the composition of different password protocols, allowing us to obtain both inter-protocol and inter-session composition.

Keywords

Security protocols, Formal analysis, Composition

Copyright information

© Springer Science+Business Media New York 2013

Authors and Affiliations

  • Céline Chevalier (1)
  • Stéphanie Delaune (2)
  • Steve Kremer (3)
  • Mark D. Ryan (4)

  1. Université Panthéon-Assas, Paris, France
  2. LSV, CNRS & ENS Cachan, Cachan, France
  3. INRIA, Nancy, France
  4. School of Computer Science, University of Birmingham, Birmingham, UK